Los Altos Hacks X • April 11–12, 2026

Code breaks.
Find why.

The AI Vulnerability Detective — proactively finding what you didn't know you accepted.

Dependency graph reasoning • Two-tier LLM analysis • Real-time streaming results

See the Problem → See the Solution
autopsy — zsh
$

Built with

Python
FastAPI
Tree-sitter
NetworkX
Claude Haiku
Claude Sonnet
VS Code Extension
TypeScript
THE PROBLEM

AI writes code fast.
Nobody checks it.

Claude Code, Copilot, and Cursor generate code fast — but developers accept suggestions they don't fully understand.

Bugs hiding in AI-generated code don't just break things. They become attack surfaces — SQL injection, XSS, path traversal, hardcoded secrets — all accepted with a single keystroke.

The faster you ship, the less you review. That gap between "generated" and "understood" is where vulnerabilities live.

~0%
of devs use AI coding tools daily
0x
faster code shipping with AI
0%
of AI code contains vulnerabilities
??%
understand every line they merge
WHO IT'S FOR

Built for everyone shipping AI-generated code.

Whether you're a solo developer or leading a team, if AI writes your code, you need Autopsy watching your back.

💻
Developers Using AI Tools

You use Copilot, Cursor, or Claude Code daily. You accept suggestions fast and ship faster. But you can't manually review every line AI generates.

Scenario: You accept a Copilot suggestion for a database query. Autopsy catches the SQL injection before it reaches production.
👥
Engineering Teams & Leads

Your team ships 3x faster with AI tools, but code review can't keep pace. You need automated, intelligent security checks that understand code context.

Scenario: A junior dev merges AI-generated auth code. Autopsy flags the missing authorization check in the PR before it ships.
🔒
Security-Conscious Teams

Traditional SAST tools miss context. They flag thousands of false positives. You need a tool that understands dependency relationships and attack scenarios.

Scenario: Autopsy traces a path traversal vulnerability across 4 files using the dependency graph — something grep-based scanners can't do.
THE SOLUTION

Three modes. One mission.

Each mode uses dependency graph reasoning and two-tier LLM analysis to go beyond surface-level scanning.

🐛
DEBUG THIS

Traces errors across your dependency graph. Finds root causes — not just where the exception was thrown.

  • Bidirectional graph traversal from target file
  • Causal chain tracing across modules
  • Blast radius analysis
  • Specific fix locations with code suggestions
  • Real-time streaming output
Cmd+Shift+D
🛡
SCAN THIS

Flags AI-generated code. Detects 9 vulnerability categories with severity levels and concrete attack scenarios.

  • AI-generated code detection (6+ heuristics)
  • SQLi, XSS, SSRF, path traversal detection
  • Severity levels: CRITICAL / HIGH / MEDIUM / LOW
  • Concrete attack scenarios for each finding
  • VS Code inline diagnostics & squiggly underlines
Cmd+Shift+S
🌎
ORIENT ME

Maps any repo instantly. Architecture, data flow, entry points, complexity hotspots — all in seconds.

  • Full repository architecture overview
  • Module map with connections
  • Data flow analysis (entry → processing → storage)
  • Complexity hotspots (most-called functions)
  • Key external dependency analysis
Cmd+Shift+O
HOW IT WORKS

Dependency graph reasoning —
not just line-by-line scanning.

Four stages. Parse → Graph → Triage → Reason. Each step narrows context so the deep model sees only what matters.

01
📄
Parse

Tree-sitter extracts every function, import, and call from your entire repo into a structured AST.

Python • JS • TS • TSX
02
🔬
Graph

NetworkX builds a dependency graph — nodes are functions and modules, edges are imports and calls.

NetworkX • Directed graph
03
Triage

Claude Haiku rapidly identifies the causally relevant subset — cheap, fast, and precise.

Claude Haiku • JSON output
04
🔎
Reason

Claude Sonnet traces root cause across files and streams findings in real time to your terminal or editor.

Claude Sonnet • SSE streaming
LIVES WHERE YOU CODE

VS Code & CLI.
Same engine, two interfaces.

Full VS Code extension with streaming panels, inline diagnostics, and command palette integration. Or use the standalone CLI.

app.py — Autopsy
14from flask import request
15
16def get_user(user_id):
17  query = f"SELECT * FROM users WHERE id={user_id}"
18  result = db.execute(query)
19  return result.fetchone()
20
21def render_profile(user):
22  return f"<h1>{user['name']}</h1>"
23
24# TODO: add auth check
25def delete_user(user_id):
26  db.execute(f"DELETE ...")
💀 AUTOPSY — SCAN
[CRITICAL] SQL Injection
app.py:17 — f-string in query
Attack: user_id = "1 OR 1=1"
[HIGH] Stored XSS
app.py:22 — unescaped HTML
Attack: name = "<script>..."
[MEDIUM] Auth Bypass
app.py:25 — no auth check
Any user can delete
  • Streaming webview panel — live markdown output at 8 updates/second as the LLM reasons through your code.
  • Inline diagnostics — squiggly underlines on vulnerable lines, severity in the Problems panel, gutter icons.
  • Command palette — Debug This, Scan This, Orient Me, and Show Graph available from Cmd+Shift+P.
  • Auto-start server — extension launches the FastAPI backend automatically. Zero setup after install.
  • Interactive graph — canvas-rendered dependency visualization with pan, zoom, and node tooltips.
WHY AUTOPSY

Other tools help when you ask.
Autopsy figures out what to ask.

Copilot and Claude Code are powerful — but they only find vulnerabilities when you know what to look for.

Capability Copilot / Cursor Claude Code AUTOPSY
Generates code
Explains code if you ask
Finds vulns if you paste + ask
Knows which files to look at
Proactive — no pasting required
Dependency graph reasoning
AI-generated code detection
Cross-file root cause tracing
THE IMPACT

This isn't a future problem.
It's happening right now.

AI-generated code is everywhere. The security gap is growing. Autopsy closes it.

0%
of developers use AI coding tools
GitHub's 2025 survey shows near-universal adoption. Every one of them needs a safety net.
$0B
annual cost of software vulnerabilities
NIST estimates billions lost yearly to exploitable bugs. AI code generation is accelerating the problem.
0
vulnerability categories detected
SQLi, XSS, SSRF, path traversal, auth bypass, secrets, race conditions, command injection, unvalidated input.
AI tools create code. Autopsy creates trust.
Every AI coding tool makes developers faster. None of them make developers safer. Autopsy is the missing layer — the security second opinion that reads your dependency graph, detects AI-generated code, and tells you what you missed. No pasting, no prompting, no manual review required.

Stop trusting.
Start verifying.

AI wrote it. You accepted it. Autopsy finds what you missed — and what it could cost you.

Back to Top → See the Solution